Thanks Manos for sending this,

On Mon, Jul 08, 2024 at 10:09:49AM +0300, Manos Pitsidianakis wrote:
> When reading input audio in the virtio-snd input callback,
> virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
> the data buffer. This is because we use the buffer->size field as a
> total-so-far accumulator instead of byte-size-left like in TX buffers.
>
> This triggers an out of bounds write if the size of the virtio queue
> element is equal to virtio_snd_pcm_status, which makes the available
> space for audio data zero.
Do you mean that the guest driver has set up a request in the rx queue in which the writable chain of descriptors only contains the status? Is this correct? Is `available` indicating the available space in the virtqueue?

Thanks,
Matias.
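A model of the RX-buffer accounting the thread describes, added here as an example and not QEMU's own code: `rx_buffer`, `STATUS_SIZE` and the function names are assumptions standing in for the real virtio-snd structures. It shows why a total-so-far `size` field needs an explicit bound derived from the descriptor's capacity, and that a request whose writable chain holds only the status leaves zero bytes for audio.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A model (added here, not QEMU's code) of the virtio-snd RX buffer the
 * thread discusses: one writable area of `cap` bytes that must hold the
 * audio payload followed by a trailing virtio_snd_pcm_status. */
#define STATUS_SIZE 8u  /* stand-in for sizeof(virtio_snd_pcm_status) */

struct rx_buffer {
    uint8_t *data;  /* start of the guest-writable area */
    size_t cap;     /* bytes the guest made writable */
    size_t size;    /* audio bytes written so far (total-so-far accumulator) */
};

/* Bytes still usable for audio: capacity minus the status that goes at
 * the end, minus what has already been accumulated. */
size_t rx_audio_space_left(const struct rx_buffer *b)
{
    if (b->cap < STATUS_SIZE + b->size)
        return 0;
    return b->cap - STATUS_SIZE - b->size;
}

/* How many of `n` incoming bytes an unbounded copy at data+size would
 * land past the audio area. Computed, not performed, so it is safe to run. */
size_t rx_overflow_bytes(const struct rx_buffer *b, size_t n)
{
    size_t left = rx_audio_space_left(b);
    return n > left ? n - left : 0;
}

/* Hardened callback: clamp the copy to the space that is actually left,
 * so a request whose writable chain holds only the status (cap ==
 * STATUS_SIZE) receives no audio bytes at all. Returns bytes copied. */
size_t rx_in_cb(struct rx_buffer *b, const uint8_t *src, size_t n)
{
    size_t left = rx_audio_space_left(b);
    if (n > left)
        n = left;
    memcpy(b->data + b->size, src, n);
    b->size += n;
    return n;
}
```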